Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.
I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.
Related
With MongoDB Compass is it possible to see users for a database or create new ones?
Ive managed it on the command line with:
mongo
use (my database name)
db.createUser( { user: "myuser", pwd: "password", roles: ["readWrite"] })
However I would still much prefer a GUI to do this.
No, it isn't (at least until version 1.20.4 of Compass)
If you're trying to create a new DB with a user that "owns" that DB (i.e. has read/write and admin commands for that DB), here's how to do that using only MongoDB Compass:
Open up MongoDB Compass and connect with your admin user.
Create a new DB with the "+" button at bottom of the DB list.
Click the MONGOSH shelf/tab at the bottom of the screen and paste this:
use NAME_OF_NEW_DB
db.createUser(
{
user: "NAME_OF_NEW_USER",
pwd: "NEW_USER_PASSWORD",
roles: [ { role: "dbOwner", db: "NAME_OF_NEW_DB" } ]
}
)
Other roles are explained in the MongoDB docs.
If I run a command in CLI after made up a user. I can see that by using this command.
db.system.users.find().pretty()
{
"_id" : "admin.admin",
"userId" : UUID("****"),
"user" : "admin",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
But I can't see the 'system.users' collection in the Compass client.
I think, the Compass does not support this the listing and creating user features.
But, if you use other client (eg. TablePlus), You can see those hidden documents
I am running mongd with Auth enabled
mongod --auth
I have a read write user on a DB.
db.system.users.find()
Logs -
{ "_id" : "products_development.user_rw", "user" : "user_rw", "db" : "products_development", "credentials" : { "MONGODB-CR" : "0e857eaebba13dca9b53eb4440ab1657" }, "roles" : [ { "role" : "readWrite", "db" : "products_development" } ] }
I am able to login with the above user credentials using mongo client - Authentication works fine
mongo -uuser_rw -p123456 --authenticationDatabase products_development
Reading the tables inside the collection works as well
use products_development
db.table1.find()
So the user is getting Authorised.
But when i try to Read from Reactivemongo i am getting the below error.
assertion 13 not authorized for query on products_development.table1 ns:products_development.table1 query:{ _id: ObjectId('5564ba210b00009900150c72') }
Authentication is working fine connection is getting setup.
I am using 0.10.5.0.akka23 version, mongodb 2.6.8.
I am the admin of a MongoDB 2.4 which is in production. When I am trying to activate profiling on some databases, it returns:
{ "ok" : 0, "errmsg" : "unauthorized" }
all the other profile-related commands return also a sort of unauthorized error messages.
my admin roles and rights are as follows:
{ "_id" : ObjectId("..."), "pwd" : "...", "roles" : [ "userAdminAnyDatabase", "readWriteAnyDatabase", "clusterAdmin" ], "user" : "admin" }
Do I need any other role to be able to profile, or there is another problem?
You need to add the dbAdminAnyDatabase role:
dbAdminAnyDatabase
dbAdminAnyDatabase provides users with the same access to database
administration operations as dbAdmin, except it applies to all logical
databases in the MongoDB environment.
http://docs.mongodb.org/v2.4/reference/user-privileges/
I just upgraded to 2.6. I run the authSchemaUpgrade. But after that, I managed to remove all users from the database (Its a private small database, so that is nothing too bad). Now I have created a new user admin:
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
After I have db.auth("admin","..") on the admin database I should be able to query any other databases too, but after I do:
user otherDatabase
show collections
I get:
2014-06-09T09:33:36.853+0000 error: {
"$err" : "not authorized for query on otherDatabase.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
What am I missing?
You need to give your admin user the role readWriteAnyDatabase in order to allow that user to query other databases.
You may want to also consider giving your admin user dbAdminAnyDatabase and clusterAdmin roles.
This is probably a stupid newbie question. I scoured the Google-scape for answers and found a few things on stackoverflow, but nothing really works yet.
I am trying to create a database, and a user who can insert entries to the db.
So far I managed to create the following users & associated privileges:
$ ./mongo localhost:29525/admin -username admin -password "somesecret"
MongoDB shell version: 2.4.9
connecting to: localhost:29525/admin
> db.system.users.find()
{ "_id" : ObjectId("533dc34753178fa1d0707308"), "user" : "admin", "pwd" : "145efb041abb3f9dd2531b26c90f2a4c", "roles" : [ "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("533dc9c03eb5b535e9691f21"), "user" : "node", "pwd" : "a2cbb645cec16dedd4a4f9ee53a332a7", "roles" : [ "readWrite", "dbAdmin" ] }
{ "_id" : ObjectId("533dd1c52d0f16b6fae61188"), "user" : "node2", "pwd" : "488fba587da677d48825b425ebf7031e", "roles" : [ "userAdminAnyDatabase", "userAdmin", "clusterAdmin", "dbAdminAnyDatabase" ] }
I ideally wanted to give the "admin" user full privileges, but unfortunately admin's 'userAdminAnyDatabase' privilege is not enough to enable this:
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
I wondered if maybe I just wasn't actually executing the command as "admin", so I re-authenticated as user admin. Still no joy:
> db.auth("admin", "somesecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
So I tried the "node2" user - I had created that with more privileges (dbAdminAnyDatabase, clusterAdmin, ..), so maybe that would work? But alas it also fails:
> db.auth("node2", "anothersecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
That aside, I tried to create a database 'mynewdb', and add a collection 'users'. As the user with most privileges is "node2", I switched to that user first. But that user cannot insert records into the new database's new collection:
> db.auth("node2", "anothersecret")
1
> use mynewdb
switched to db mynewdb
> db.users.save( {username: "philipp"})
not authorized for insert on testapp.users
Nor for that matter can "admin".
Sorry for my ignorance, I have spent some hours Googling here and am still struggling to piece together jigsaw pieces presented by the many disparit bits of info on the MongoDB docs.
Thanks for any help!
This answer ONLY pertains to MongoDB 2.4.X and lower. The methods for doing this are significantly different under MongoDB 2.6
You are correctly querying the "system.users" collection in your examples:
db.system.users.find()
But your updates are to the "users" collection, which the admin user cannot access as it only has "userAdminAnyDatabase". Can you try running your update against "system.users" instead? ie
db.system.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}})